This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

We have a monitoring system on our Windows 7 Ultimate ( 64 bit, SP 1 ) that pings 1000+ IPs every 30 seconds to record latency and "uptime". I have 3 IPs so far that work on every other connection/computer I try.

I have verified the firewall ( hardware ) is doing everything properly. I am able to ping the same IPs from another server we have at the same location. I have tried pinging with the software firewall turned off and the anti-virus program off and no effect. I have rebooted twice ( before and after the most recent update for Windows ), both times I have been able to ping those IPs for probably about 10+ minutes and then I get host unreachable from then on.

I started using Wireshark to packet sniff and I see the ping packet is getting a reply, which is very odd. Obviously the host is reachable because the ping packet reply came back in. So the question is what is causing the ping ICMP packet to report as unreachable. Anyone have any ideas?

I changed the IP to xx.xx in the example below as well as the reply packet.

/// Ping Packet ( Sent / Received )

29  0.071804    192.168.2.112   64.105.xx.xx    ICMP    Echo (ping) request  (id=0x0018, seq(be/le)=2829/3339, ttl=128)
44  0.143773    64.105.xx.xx    192.168.2.112   ICMP    Echo (ping) reply    (id=0x0008, seq(be/le)=2829/3339, ttl=51)

// Reply Packet

0000  00 30 48 b9 80 5b 00 06  b1 0e 7a 44 08 00 45 00   .0H..[.. ..zD..E.
0010  00 3c da e7 00 00 33 01  76 0f 40 69 xx xx c0 a8   .<....3. v.@ixx..
0020  02 70 00 00 4a 47 00 08  0b 0d 61 62 63 64 65 66   .p..JG.. ..abcdef
0030  67 68 69 6a 6b 6c 6d 6e  6f 70 71 72 73 74 75 76   ghijklmn opqrstuv
0040  77 61 62 63 64 65 66 67  68 69                     wabcdefg hi

asked 05 May '11, 15:21

wolfjlupus

edited 05 May '11, 15:46

SYN-bit


The ICMP IDs are not the same. So the PING program will not match the response to the request. It looks like a device between 192.168.2.112 and 64.105.xx.xx is messing up the ICMP IDs. Is there a NAT device in place between those hosts? Maybe its tables are not large enough to translate that many ICMP packets.


answered 05 May '11, 15:50

SYN-bit

Thank you Synbit, further packet sniffing at the firewall level shows it is the Sonicwall doing improper NATing even though it's set up properly. Once I removed the outbound NAT policy for its specific IP it started working. The Sonicwall probably needs to be factory reset as it's pretty old and has been running for a long time.

(10 May '11, 15:40) wolfjlupus
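
The ID comparison described in the answer, as an added example that is not part of the original thread: it parses the ICMP bytes from the reply hex dump above, verifies their checksum, and compares them with a request rebuilt from the packet list. The function names are hypothetical and the request payload is assumed to equal the reply's.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_echo(icmp: bytes) -> dict:
    """Split an ICMP echo message (type 8 request / type 0 reply) into fields."""
    typ, code, cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "payload": icmp[8:],
            # A correct message checksums to zero when the field is included.
            "checksum_ok": inet_checksum(icmp) == 0}

def classify(request: dict, reply: dict) -> str:
    """Compare a reply to a request the way a ping client has to."""
    if request["type"] != 8 or reply["type"] != 0:
        return "not-an-echo-pair"
    same_probe = (request["seq"] == reply["seq"]
                  and request["payload"] == reply["payload"])
    if same_probe and request["id"] == reply["id"]:
        return "match"
    if same_probe:
        return "id-rewritten"   # the symptom in this question
    return "unrelated"

# ICMP part of the reply, copied from the hex dump above (offset 0x22 onward).
REPLY = bytes.fromhex("00004a4700080b0d") + b"abcdefghijklmnopqrstuvwabcdefghi"

def build_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed request; only id and seq come from the packet list."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

REQUEST = build_request(0x0018, 2829, REPLY[8:])  # payload assumed identical

if __name__ == "__main__":
    req, rep = parse_echo(REQUEST), parse_echo(REPLY)
    print(f"request id={req['id']:#06x} reply id={rep['id']:#06x} seq={rep['seq']}")
    print("reply checksum valid:", rep["checksum_ok"])
    print("verdict:", classify(req, rep))
```

The reply's checksum is valid with ID 0x0008 in place, which is what a translation step that recomputes the checksum produces and not what random corruption would.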